Upgrading a Palo Alto VM to PAN-OS 8

January 19, 2018

Palo Alto networks introduced the virtualised version of their firewall with PAN-OS 5.0. The first version only supported VMware ESXi as a hypervisor wheras newer PAN-OS versions supports a number of different hypervisors.

The system requirements has been consistent throughout the different versions, but a change happend from version 7.1 to 8.0. Version 8.0 requires a 60 GB hard drive where previously 40 GB was enough. To move from 40 GB to 60 GB there is a bit of a path to follow. Palo Alto has a guide for the upgrade, but the guide is very generic and leaves much to be desired. As I have been through the upgrade process for both VMware and Hyper-V I thought I would elaborate a bit on the steps.

The overall process

Check the system requirements for your VM model (there has been a change in memory requirements)

If needed, shut down the firewall and allocate the required amount of memory

Upgrade firewall to wanted 8.0.x version

Add hard drive

Clone data fra 40 GB hdd to 60 GB hdd

Remove old hard drive

Boot the firewall

Upgrade complete

Most of these are simple instructions to follow, with the disk cloning part being the part needing a bit of elaboration.

Hyper-V

To add the disk to the firewall during live operation the firewall needs to be identified as CentOS. With this you can add the disk as a SCSI disk. After adding the disk, enter the CLI and run the command request system clone-system-disk target sdb.

Note that this is done on the 8.0 version (it’s not that clear from PAN guide). You will be presented with a warning saying the cloning process will take up to 20 minutes. After accepting this the firewall will reboot into disk cloning mode.

When the process is finished, power off the firewall (it’s not automatic) and remove the old 40 GB disk. Move the new disk to the position of the old disk in Hyper-V.

After powering on the firewall the upgrade is complete and the 60 GB disk is now the main disk for the firewall.

VMware

The difference with VMware is that the disk cannot be added during live operation. It is necessary to completely power off the firewall before adding the new disk. Power it on and you are able to run the cloning command (request system clone-system-disk target sdb). After this the process is the same as with the Hyper-V version.

If you try to add the disk during live operation you will get an error ‘Invalid disk name’ when running the cloning command.

Something to notice is that the firewall seems to run version 8.0 on both hypervisors with a 40 GB disk as well. I have had some firewalls running for a while only on the 40 GB disk without problems. Of course this is not recommended as you will not be able to get the necessary support from PAN if an issue occurs.